Magic Crypto Fairy Dust
A term I heard software security guru Gary McGraw use when talking about how you can’t just run a static analysis of an application’s code and expect it to find all of its vulnerabilities. That’s because vulnerabilities often creep into applications through poor architecture and design, and a code scanner has no notion of what the design was supposed to guarantee. Unless analysis is done from the architectural level on down through source code scans and penetration testing, only a limited range of vulnerability types can be found.
In an IT News story called “The Truth About Software Security”, a spinoff of Symantec named Veracode is offering a static analysis service that analyzes compiled software. They don’t analyze source code, just the machine code. It’s not that it’s a bad thing to do, but I expect a lot of companies will view this as a total replacement for many vital application security techniques that are sorely needed to bring the security of the average application up to a reasonably high assurance level.
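To make the point concrete, here is an added example (mine, not from the original post or from McGraw) of a design-level flaw that code-level static analysis, source or binary, does not see. Both functions use parameterized SQL and typed input, so a scanner hunting for injection, tainted sinks or unsafe string handling reports nothing. The insecure version is still broken: nothing in the code says a caller may only read their own invoices, because that rule lives in the design. The table, users and invoice values are constructed for the demo.

```python
"""Added example: a missing authorization rule that no code scanner can infer.

Both lookups below are 'clean' by pattern-matching standards (parameterized
queries, integer ids). The difference between them is a design decision:
whether ownership is part of the access rule or left to the caller.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one invoice."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, owner, total) VALUES (?, ?, ?)",
        [(1, "alice", 120.00), (2, "bob", 9999.99)],
    )
    return conn


def get_invoice_insecure(conn, session_user: str, invoice_id: int):
    """Every line here passes a code scan (parameterized SQL, typed input),
    yet any logged-in user can read any invoice by changing the id.
    session_user is accepted but never consulted: the flaw is an absent
    authorization rule, an architectural fact the scanner has no way to know."""
    return conn.execute(
        "SELECT id, owner, total FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_secure(conn, session_user: str, invoice_id: int):
    """Same query shape, but ownership is part of the lookup, so the data
    layer enforces the design rule instead of trusting every caller to."""
    return conn.execute(
        "SELECT id, owner, total FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, session_user),
    ).fetchone()


def demo():
    """Alice requests Bob's invoice (id 2) against both implementations,
    then her own (id 1) against the secure one."""
    conn = build_db()
    leaked = get_invoice_insecure(conn, "alice", 2)  # Bob's row comes back
    blocked = get_invoice_secure(conn, "alice", 2)   # None
    own = get_invoice_secure(conn, "alice", 1)       # Alice's own row
    return leaked, blocked, own


if __name__ == "__main__":
    leaked, blocked, own = demo()
    print("insecure lookup returned:", leaked)
    print("secure lookup returned:  ", blocked)
    print("own invoice:             ", own)
```

The insecure function contains nothing a scanner would flag; the defect only exists relative to a requirement ("users see their own invoices") that is stated in the architecture, not in the code. That is exactly the class of problem the post says a scan-only approach misses.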
What do you think? Will this result in a net “increase” or “decrease” in software security?